Firewalls: Access Control Lists
Good security practice dictates that the final rule in your ACL be “deny all.” Each packet that arrives is compared against the rules in the ACL from top to bottom; the first rule it matches decides its fate, and the rules below that one are never consulted. If it matches none of the entries, its fate is decided by the final rule. The deny-all rule tells the device that any packet which falls through to the bottom should be discarded. Many firewalls apply an implicit deny of this kind on their own, but writing it out explicitly makes the policy visible to whoever audits the list and gives you a rule on which to enable logging, so that the dropped traffic is actually recorded. This practice is commonly called “whitelisting” (also “allow-listing” or “default deny”): accepting only what is explicitly allowed. “Blacklisting” (“deny-listing”), in contrast, works in the same way as the real-world use of the term: if something is on the list, it is forbidden; everything else is allowed.
Both methods have pros and cons. If you establish a whitelist, you run the risk of denying a legitimate message that comes from an unknown, and therefore not explicitly allowed, source. Further, an attacker has at his disposal tools which can set the source address of a packet to whatever he likes. As such, if he knows a likely candidate for a whitelist, such as a known business partner, he can spoof that entity’s IP address so that the communication appears to come from a trusted source, and an ACL that filters on addresses alone cannot tell the difference. Spoofing is easiest for connectionless traffic (UDP, ICMP); completing a TCP connection requires the attacker to see replies that are sent to the real partner, which is harder but not impossible. The usual mitigations are anti-spoofing rules, placed at the top of the list, that drop packets arriving on the outside interface with a source address in your own address space, and authenticating the partner at a higher layer (a VPN or TLS) rather than trusting the source address alone.
Blacklisting, on the other hand, can be thwarted by attackers who change their sending address frequently, which has become standard operating procedure for those who do this for a living: a blacklist of addresses blocks only the addresses you already know about. So it is far from a fool-proof defense. Still, if your network is experiencing an attack from a specific IP address, or if you notice the reconnaissance activity (port scans, probes across many of your addresses) that typically precedes an attack, you can blacklist that address. On a first-match ACL the deny entry must sit above any permit that would also match that traffic; placed below a broader permit, it is never reached.
One final point worth noting: as stated, when a packet arrives, it is compared to the entries in the ACL, top to bottom. Every entry represents a comparison that must occur until a match is found or the list runs out. As such, removing unnecessary rules, whether duplicates of an earlier entry or rules that are “shadowed” because an earlier, broader rule always matches first, improves the performance of the firewall and reduces packet queuing. Moving the rules that match the bulk of your traffic toward the top helps for the same reason, provided the reordering never places a specific rule below a broader one that would now match first, since that changes what the list permits. Many modern firewalls compile the list into a lookup structure so the cost is no longer strictly linear, but a short, well-ordered list is still easier to audit and less likely to hide a mistake.
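The points above (first-match evaluation, the explicit deny-all versus the implicit one, whitelisting against blacklisting, a spoofed source address slipping through a whitelist, and the cost of rules that can never fire) are easiest to see in a small simulator. The following Python is an added example written for this page, not a firewall’s own code and not any vendor’s ACL syntax; the networks, the host names and every packet it evaluates are constructed, using the RFC 5737 documentation address ranges.

```python
"""First-match ACL simulator: deny-all, whitelist vs blacklist, spoofing, shadowed rules.

Added example with an illustrative rule syntax (not any vendor's). All
addresses come from the RFC 5737 documentation ranges and every packet
below is constructed for the demonstration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: IPv4Network = ANY       # source prefix
    dst: IPv4Network = ANY       # destination prefix
    proto: str = "any"           # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, src: IPv4Address, dst: IPv4Address, proto: str, dport: int) -> bool:
        return (src in self.src and dst in self.dst
                and self.proto in ("any", proto)
                and self.dport in (None, dport))

    def covers(self, other: "Rule") -> bool:
        """True if every packet that matches `other` also matches this rule."""
        return (other.src.subnet_of(self.src) and other.dst.subnet_of(self.dst)
                and self.proto in ("any", other.proto)
                and self.dport in (None, other.dport))


def evaluate(acl: List[Rule], src: str, dst: str, proto: str, dport: int,
             default: str = "deny") -> Tuple[str, int, Optional[int]]:
    """Compare a packet against the ACL top to bottom; the first match decides.

    Returns (action, comparisons made, index of the matching rule or None).
    `default` models the implicit deny a device applies when the list runs out.
    """
    s, d = ip_address(src), ip_address(dst)
    for i, rule in enumerate(acl):
        if rule.matches(s, d, proto, dport):
            return rule.action, i + 1, i
    return default, len(acl), None


def shadowed_rules(acl: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule covers them.

    Each one costs a comparison on every packet that reaches it and can be
    removed (or, if it was meant to win, moved up) without changing what matches.
    """
    return [j for j, r in enumerate(acl) if any(acl[i].covers(r) for i in range(j))]


# Hypothetical network: a web server we publish, a partner we trust, our own space.
SERVER = ip_network("192.0.2.10/32")
PARTNER = ip_network("203.0.113.0/24")
INTERNAL = ip_network("192.0.2.0/24")
RECON_HOST = ip_network("198.51.100.7/32")

# Whitelist applied inbound on the outside interface: explicit allows, explicit deny-all.
WHITELIST = [
    Rule("deny", src=INTERNAL),      # anti-spoofing: our own addresses never arrive from outside
    Rule("permit", src=PARTNER, dst=SERVER, proto="tcp", dport=443),
    Rule("permit", dst=SERVER, proto="tcp", dport=80),
    Rule("deny"),                    # explicit deny-all; enable logging on this rule on a real device
]

# Blacklist: block the known-bad source, allow everything else.
BLACKLIST = [
    Rule("deny", src=RECON_HOST),
    Rule("permit"),
]

# Mis-ordered list: the broad permit on top shadows the specific deny beneath it.
MISORDERED = [
    Rule("permit", dst=SERVER, proto="tcp", dport=80),
    Rule("deny", src=RECON_HOST, dst=SERVER, proto="tcp", dport=80),
    Rule("deny"),
]

# Constructed packets: (src, dst, proto, dport)
PACKETS = [
    ("203.0.113.5", "192.0.2.10", "tcp", 443),   # real partner, or an attacker spoofing it: indistinguishable
    ("192.0.2.20", "192.0.2.10", "tcp", 443),    # spoofed to look like one of our own hosts
    ("198.51.100.7", "192.0.2.10", "tcp", 80),   # the host doing reconnaissance
    ("198.51.100.7", "192.0.2.10", "tcp", 22),   # same host, a port we never allowed
]

if __name__ == "__main__":
    for name, acl in (("whitelist", WHITELIST), ("blacklist", BLACKLIST), ("misordered", MISORDERED)):
        print(f"{name}: shadowed rule indices {shadowed_rules(acl)}")
        for pkt in PACKETS:
            action, n, idx = evaluate(acl, *pkt)
            print(f"  {pkt[0]:>13} -> {pkt[1]} {pkt[2]}/{pkt[3]}: {action} (rule {idx}, {n} comparisons)")
```

Run as a script, it walks every constructed packet through each list and reports which rule decided it and how many comparisons that took. Two things to notice: the spoofed partner packet is permitted by the whitelist exactly as the genuine one would be, because the ACL sees only the address, while the packet spoofed from our own range is stopped by the anti-spoofing rule on the first comparison; and in the mis-ordered list the reconnaissance host is allowed through on port 80 because the deny written for it is shadowed by the broader permit above it, which is precisely what shadowed_rules reports.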